©2012 Dell SonicWALL

How Traditional Firewalls Fail Today’s Networks — And Why Next-Generation Firewalls Will Prevail

Why your current firewall may be jeopardizing your security, and how you can counter today’s threats, manage web 2.0 apps and enforce acceptable-use policies.

Contents

What’s Wrong with Traditional Firewalls? (page 2)

Stopping Malware, Intrusions and Advanced Attacks (page 3)

Inspecting SSL Traffic (page 4)

Controlling Web Applications (page 5)

Managing Users and Use Policies (page 6)

Trading Off Security Against Performance (page 7)

How Dell SonicWALL Next-Generation Firewalls Provide Answers (page 8)

What’s Wrong with Traditional Firewalls?

If your company has a traditional firewall, it is probably jeopardizing your security and costing you money.

Why? Firewalls are an essential part of network security, but most are very limited. They can close unneeded ports, apply routing rules to packets and fend off denial-of-service attacks. But they can’t look inside packets to detect malware, identify hacker activity or help you manage what end users are doing on the Internet.

Basically, once a port is open (say, port 80 for Internet traffic), anything can come through disguised as legitimate traffic.

Traditional firewalls can also be expensive to operate, especially if you need to supplement them with additional security technologies.

This white paper will explain exactly where traditional firewalls fall short, how Next-Generation Firewalls fill those gaps, and how Next-Generation Firewalls can help you:

• Reduce costs.

• Detect more attacks.

• Enforce appropriate use of social media and web 2.0 apps.

• Ensure that high-priority business applications perform better.

• Identify departments and individuals who engage in risky or nonproductive behaviors.

• Provide excellent network performance without compromising security.

You can think of a traditional firewall as a receiving clerk at the loading dock. The clerk can open and close cargo bays and turn away some delivery trucks, but he has no visibility into the contents of the trucks. He can’t tell if they contain illegal substances. He also can’t stop people from flooding the mailroom with items unrelated to work, because he doesn’t know who in the building is sending and receiving packages.

Stopping Malware, Intrusions and Advanced Attacks

Traditional Firewalls

Traditional firewalls provide only a part of the network security organizations need.

Because they are so limited, most organizations supplement them with other network security technologies such as gateway anti-malware products, intrusion prevention systems (IPS), and content or URL filtering packages. These block malware, help detect attacks and prevent users from accessing web sites with malware.

But managing several separate security tools is costly. First, you need multiple licenses. Second, for each product, your systems administrators must master the intricacies of configuring hardware and software, setting rules, creating reports and monitoring events. You might even need to dedicate specialists to each system.

This duplication also undermines security, because it is very difficult to correlate data from multiple products to detect and respond to fast-moving attacks.

Next-Generation Firewalls

Next-Generation Firewalls provide multiple network security technologies in one package. They combine the features of traditional firewalls, gateway anti-malware products, intrusion prevention systems and content filtering packages.

All of these security technologies can be installed, configured, deployed and managed as a unit, which greatly reduces administrative costs.

And because all event data is available through one reporting system, it is much easier to identify threats early and take appropriate measures, before security has been compromised.

A Next-Generation Firewall can:

• Block viruses, Trojans, worms, rootkits and polymorphic “zero-day” malware at the gateway, before they reach the corporate network.

• Prevent “drive-by downloads” from infected web sites.

• Mitigate denial-of-service and flooding attacks.

• Detect protocol anomalies and buffer overflow attacks.

• Stop network traffic from geographical regions and IP addresses associated with cybercriminals.

• Block outbound botnet “command and control” traffic.

• Prevent employees from visiting web sites containing content related to pornography, substance abuse, gambling, hate crimes and other objectionable topics.

Inspecting SSL Traffic

Traditional Firewalls

Retailers, banks and other organizations use the Secure Sockets Layer (SSL) protocol to protect sensitive information sent between their web sites and their customers. Other companies can’t block SSL traffic, because it has many legitimate and necessary uses.

Unfortunately, traditional firewalls can’t decrypt and inspect SSL traffic.

That means that hackers and cybercriminals can smuggle malware right through the firewall just by concealing it in SSL traffic.

Also, botnets and the creators of advanced persistent threats (APTs) often create SSL tunnels from inside out to exchange command-and-control messages with their servers, and exfiltrate files.

Next-Generation Firewalls

Next-Generation Firewalls utilize Deep Packet Inspection (DPI) technology to decrypt and inspect SSL traffic into and out of the network.

That means you can detect and block malware concealed in SSL traffic.

It also means you can detect and stop botnet command-and-control messages, and prevent APTs from using SSL to exfiltrate your customer lists, engineering designs, trade secrets and other confidential information.

Controlling Web Applications

Traditional Firewalls

Traditional firewalls cannot associate network traffic with specific applications. They are not “application-aware.”

Traditional firewalls have no way to:

• Block dangerous applications.

• Control applications that have legitimate uses but are also subject to abuse.

• Visualize and control traffic by application.

In today’s world, where software applications are the lifeblood of business, this lack of application control is a serious deficiency.

Next-Generation Firewalls

Next-Generation Firewalls offer application intelligence and control. That means they can recognize traffic belonging to specific applications and enforce corporate acceptable-use policies. They can even allocate bandwidth to high-priority applications.

In addition, Next-Generation Firewalls allow administrators to monitor and visualize network traffic. They can observe traffic volumes by application, spot bandwidth hogs and determine why traffic slows at peak periods during the day. Application traffic visualization gives you a powerful new tool to troubleshoot problems and plan network capacity.

Next-Generation Firewalls can:

• Block applications that endanger security or reduce productivity, such as peer-to-peer file sharing and FTP file transfers.

• Control legitimate applications that are subject to abuse — for example, allowing instant messaging programs to exchange text but not transfer files.

• Limit applications to certain times of day — for instance, allowing access to multi-player games only after business hours.

• Ensure that high-priority applications (customer relationship management, order processing) will get more bandwidth than less urgent applications (chat, video streaming).

[Figure: how a Next-Generation Firewall handles traffic. Malware and intrusions (spyware, botnets, viruses, worms) are blocked; unacceptable apps are blocked; critical apps receive prioritized bandwidth; acceptable apps receive managed bandwidth. Application icons shown include Pandora.]

Managing Users and Use Policies

Traditional Firewalls

Traditional firewalls have no way of connecting network traffic with users. Suspicious traffic cannot be associated with individual users, except through the laborious process of poring through log files.

Traditional firewalls cannot:

• Enforce Internet acceptable-use policies.

• Provide insight into application usage.

• Identify which users are using dangerous applications or surfing to compromised web sites.

• Limit social networking applications to groups that have a business need to use them.

• Improve network performance for high-priority groups.

Next-Generation Firewalls

Next-Generation Firewalls allow application control to be applied at user group and individual levels, which allows you to enforce acceptable-use policies at a granular level.

Facebook, Twitter, LinkedIn and other social media sites may account for hundreds of nonproductive hours for many employees. However, the marketing and human resources departments may have good reasons to access these sites, including to promote products and services, assess consumer sentiment and find job candidates. A Next-Generation Firewall could:

• Enforce company policies by giving marketing and HR access to social media sites while blocking access for employees in other groups.

• Allow everyone to post text and photos on Facebook, but not play Facebook-related games.

• Permit engineering and IT to stream technical videos during work hours, but allow other employees to stream video only at night.

• Allocate more bandwidth to executive management and selected departments.

Traffic visualization allows administrators to not only monitor network traffic by application, but also identify specific employees who pose security risks or inadvertently affect productivity — for example, by downloading massive files or streaming long videos during peak periods.

Trading Off Security Against Performance

Traditional Firewalls

Traditional firewalls often force administrators to trade off security against performance.

If administrators activate all security measures, the firewall may hold up network traffic. Then users complain about bad network performance, slow response times and long file downloads.

So administrators compromise by turning off monitoring on certain ports, disabling firewall rules and limiting deep packet inspection.

Or they limit the size of email attachments, which affects user productivity.

This creates a dilemma: Face user complaints today, or increase the risk of a security breach tomorrow.

Next-Generation Firewalls

Next-Generation Firewalls have far higher throughput, so administrators don’t have to trade off security for performance.

Factors that enhance performance include:

• Processors with faster clock speeds.

• CPUs designed to understand network communications and perform security scanning.

• Parallel processing architectures.

• More efficient approaches to deep packet inspection.

You should never have to compromise security to maintain acceptable performance.

How Dell SonicWALL Next-Generation Firewalls Provide Answers

Dell SonicWALL offers a wide range of Next-Generation Firewalls that address the shortcomings of traditional firewalls.

Stop malware, intrusions and advanced attacks

Dell SonicWALL Next-Generation Firewalls, unified threat management firewalls and related products offer a complete set of network security technologies in one package, including gateway anti-malware, intrusion prevention and content filtering.

The integrated package is easy to install, configure and manage.

Inspect SSL traffic

The firewalls perform high-speed decryption and inspection of inbound and outbound SSL traffic.

Application intelligence and control

Dell SonicWALL Next-Generation Firewalls recognize over 4,500 enterprise, desktop and web-based applications; block and control them individually; and provide charts to visualize network traffic by application.

Visibility into users

The firewalls integrate with Active Directory and LDAP directories so they can identify network traffic by user and user group, and apply application usage and bandwidth control policies selectively by group and user.

They also allow administrators to drill down to application use by individuals and enforce acceptable-use policies at a high level of granularity.

High performance and scalability

Dell SonicWALL Next-Generation Firewalls feature CPUs designed for security processing and parallel-processing hardware architectures.

A unique Reassembly-Free Deep Packet Inspection™ (RFDPI) engine can scan against multiple application types and protocols at extremely high speeds, with no upper limit on file size or the amount of concurrent traffic.

A wide choice of models allows a single set of security features to be deployed very cost effectively in small offices, and with massive scalability in very large ones.

Dell SonicWALL Next-Generation Firewalls provide:

• Traditional firewall stateful packet filtering

• Gateway anti-malware

• Intrusion prevention

• Content filtering

• Spam filtering

• Application intelligence and control

• User visibility and management

• Email security

• Secure remote access for IPsec and SSL VPNs

Backed by an industry leader

Dell SonicWALL is an industry leader with an outstanding malware research group, comprehensive 24/7 customer support and an unparalleled track record of innovation. As such, Dell SonicWALL has received numerous industry awards and top-ranked results from independent research organizations such as ICSA Labs and NSS Labs.

If you have a traditional firewall…

If you have a traditional firewall, you are getting too little security and wasting too much time and money.

To learn more about Next-Generation Firewalls from Dell SonicWALL, please visit http://www.sonicwall.com/us/en/products/Network_Security.html.

Dell SonicWALL Next-Gen Firewalls & Unified Threat Management Firewalls

SuperMassive E10000 Series (data center, ISPs): E10800, E10400, E10200

E-Class NSA Series (medium to large organizations): NSA E8510, NSA E8500, NSA E6500, NSA E5500

NSA Series (branch offices and medium sized organizations): NSA 4500, NSA 3500, NSA 2400, NSA 220, NSA 450M

TZ Series (small and remote offices): TZ 215, TZ 205, TZ 105